
I need PHP best practice adv(Submit,Validate,Insert,Inform)

Posted: Wed Jan 13, 2010 1:02 pm
by simplyi
Hello!

I need some very simple PHP best-practice advice, or links to tutorials that explain the topic in a very, very simple way.

The task is to Submit the Form, Validate parameters, Insert data into database.

My questions are: the best place to submit form data; the best way to validate form strings (disregard email formats or date formats) before inserting them into a database table; the best way to make sure that the data is actually recorded in the table; and a friendly way to notify the user about a successful or unsuccessful operation.



1. Submit HTML form to PHP file

My question here: which way is more efficient, to submit the form to $_SERVER['PHP_SELF'] or to a Controler.php which will validate the provided input and then use a DAO to record the data into the database, or redirect the user to form.php and ask him to provide valid information? A disadvantage that I see here is redirecting. An advantage I see here is that my controller logic is in a separate file.


2. What is the best way to validate user input before recording data to the database to prevent hacking?

After reading on PHP.net I selected three functions that my strings need to run through before getting into the database. These are:

$paramValue = htmlspecialchars(stripslashes($_GET[$name]));
$paramValue = str_ireplace("script", "blocked", $paramValue);
$paramValue = mysql_escape_string($paramValue);

What are your thoughts and experience? Are these all that is needed to secure my INSERT or UPDATE against hacking (SQL injection)?


3. I realized that the best way to keep passwords is outside the public folder, and then read the file to get the username and password used for accessing the database.

Would it be bad practice if I kept my username and password in the DAO as private constants?

class DAO {
    // connection settings kept as private members of the class
    private $dbhost = "localhost:3306";
    private $dbuser = 'user';
    private $dbpass = "password";
    private $dbname = 'dbname';
    private $conn   = null;
    private $result = null;

    public function openConnection() {
        $this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass, $this->dbname);

        if (mysqli_connect_errno()) throw new Exception("Could not establish connection with database");
    }
}

Or keep the username and password in a DAO_Base class and have DAO extend DAO_Base so that the username and password are accessible. This way I can have UserDAO, ClientDAO and NewsDAO all extend one class and keep the username and password in one place.
Is that good practice? I am looking for good, simple and secure, not the best but most complicated.



4. After running a prepared statement to insert data into the database, what is the best and quickest way to check whether the row has been affected and the data is in?

Example:

$sql = "INSERT INTO news (title) VALUES (?)";

$statement = $this->conn->prepare($sql);

// prepare() returns false on failure, so the error text has to be read from the
// connection; $statement->error would be a method call on false
if (!$statement) throw new Exception($this->conn->error);

$statement->bind_param("s", $newsVO->title);

$returnValue = $statement->execute();


As far as I understand, a statement can be executed for an UPDATE or INSERT and the return value will be '1'. But that does not actually mean that the value was inserted or updated. It simply says that the statement was executed. How do I check how many rows were actually affected? What is the best way?


I hope this post is not too long. I am very interested in learning the best practices for these everyday programming tasks and want to hear your opinion.

And... I need it in plain PHP with no frameworks used. These questions are not an assignment from university or anything like that. It is just my intention to master PHP fast by studying best practices and asking people about their experience. I am an entry-level programmer.

Thank you and I am very interested to hear your opinions.
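Editor's note, as an added worked example rather than code from the post above: the four questions fit in a single self-submitting script. The security-relevant points it demonstrates are that a bound parameter, not the htmlspecialchars/stripslashes/str_ireplace/mysql_escape_string chain, is what keeps form data out of the SQL text (the "script" blacklist does nothing against SQL injection, and HTML-escaping before storage corrupts the stored data); that HTML escaping belongs at output time; that `execute()` returning true is not the same as a row being written, which is what `affected_rows` reports; and that database credentials live in a file outside the document root. The table `news` (AUTO_INCREMENT `id`, VARCHAR(200) `title`) and the path `/etc/myapp/db.php` are assumptions for the example.

```php
<?php
// Added example for the four questions above; it is not code from the original post.
// Assumed names: a table `news` with an AUTO_INCREMENT `id` and a VARCHAR(200) `title`
// column, and a credentials file at /etc/myapp/db.php (outside the web root) that
// returns ['host' => ..., 'user' => ..., 'pass' => ..., 'name' => ...].
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false and leaving the
// caller to inspect ->error after every call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    $cfg = require '/etc/myapp/db.php';                // assumed path; never under the document root
    $conn = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    $conn->set_charset('utf8mb4');                     // the connection charset must match the data
    return $conn;
}

// Validation enforces business rules (required, valid UTF-8, length). It is not what
// stops SQL injection; the placeholder in insertNews() does that. Returns [title, error].
function validateTitle(?string $raw): array
{
    $title = trim($raw ?? '');
    if ($title === '') {
        return [null, 'Title is required.'];
    }
    if (!mb_check_encoding($title, 'UTF-8')) {
        return [null, 'Title contains invalid characters.'];
    }
    if (mb_strlen($title, 'UTF-8') > 200) {
        return [null, 'Title must be at most 200 characters.'];
    }
    return [$title, null];
}

// The value travels to the server separately from the SQL text, so no escaping,
// stripslashes() or keyword blacklist is needed, and the stored title is exactly
// what the user typed.
function insertNews(mysqli $conn, string $title): int
{
    $stmt = $conn->prepare('INSERT INTO news (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    // execute() returning true only means the statement ran; affected_rows tells
    // whether a row actually landed (an UPDATE that matched nothing also "succeeds").
    if ($stmt->affected_rows !== 1) {
        throw new RuntimeException('expected 1 affected row, got ' . $stmt->affected_rows);
    }
    return (int) $conn->insert_id;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$title, $error] = validateTitle($_POST['title'] ?? null);   // writes come from POST, not GET
    if ($error !== null) {
        $_SESSION['flash'] = $error;
    } else {
        try {
            $id = insertNews(connect(), $title);
            $_SESSION['flash'] = "Saved news item #$id.";
        } catch (mysqli_sql_exception | RuntimeException $e) {
            error_log($e->getMessage());                       // details go to the log...
            $_SESSION['flash'] = 'The item could not be saved. Please try again.';  // ...not to the browser
        }
    }
    // POST-redirect-GET: the same script handles the form, but a refresh will not resubmit.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);

// HTML escaping happens here, at output time, not before storage.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<!doctype html>
<meta charset="utf-8">
<?php if ($flash !== null): ?>
<p><?= $h($flash) ?></p>
<?php endif; ?>
<!-- PHP_SELF is taken from the request path, so it is escaped like any other input -->
<form method="post" action="<?= $h($_SERVER['PHP_SELF']) ?>">
  <input name="title" maxlength="200" required>
  <button>Save</button>
</form>
```

Save the script under the web root as, for example, news.php and open it in a browser; the credentials file must be readable by the web server user but must not sit in any directory the server publishes. The user-facing message after a database failure is deliberately generic, while the exception text (which may echo the SQL and the driver's error) goes to the error log.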

Re: I need PHP best practice adv(Submit,Validate,Insert,Inform)

Posted: Sun Jan 17, 2010 9:02 am
by josh
simplyi wrote: Which way is more efficient, to submit the form to $_SERVER['PHP_SELF'] or to a Controler.php which will validate the provided input and then use a DAO to record the data into the database, or redirect the user to form.php and ask him to provide valid information? A disadvantage that I see here is redirecting. An advantage I see here is that my controller logic is in a separate file.

Doesn't matter; neither has to use a redirect.
simplyi wrote: 2. What is the best way to validate user input before recording data to the database to prevent hacking?

A darn good way is to use Zend_Form and/or Zend_Validate.
simplyi wrote: After reading on PHP.net I selected three functions that my strings need to run through before getting into the database. These are:

$paramValue = htmlspecialchars(stripslashes($_GET[$name]));
$paramValue = str_ireplace("script", "blocked", $paramValue);
$paramValue = mysql_escape_string($paramValue);

What are your thoughts and experience? Are these all that is needed to secure my INSERT or UPDATE against hacking (SQL injection)?

Use mysql_real_escape_string, or something with built-in escaping like Zend_Db_Select or PHP's PDO functions.


simplyi wrote: 3. I realized that the best way to keep passwords is outside the public folder, and then read the file to get the username and password used for accessing the database.

As long as your server supports PHP, that is irrelevant.
simplyi wrote: 4. After running a prepared statement to insert data into the database, what is the best and quickest way to check whether the row has been affected and the data is in?

It will either succeed or there will be an error. A combination of exceptions + database transactions results in a good fault-tolerant system.
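Editor's note: the "PDO functions" and "exceptions + database transactions" josh points at, written out as an added example (not code from either poster). It uses an in-memory SQLite database so it runs stand-alone without a MySQL server; for MySQL the DSN becomes `mysql:host=...;dbname=...;charset=utf8mb4` with the username and password as the next two constructor arguments. The two tables, the CHECK constraint used to force a failure, and the sample titles are constructed for the example. It shows a named placeholder carrying a hostile-looking title as plain data, `rowCount()` as the answer to "did a row actually land", and a rollback undoing the first INSERT when the second one fails.

```php
<?php
// Added example illustrating "PDO + exceptions + transactions"; it is not code from
// the thread. It uses an in-memory SQLite database so it runs stand-alone; for MySQL
// the DSN becomes 'mysql:host=...;dbname=...;charset=utf8mb4' plus user and password.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // every failure throws; nothing returns false silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // let the driver prepare server-side where it can
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed schema for the example: the CHECK on audit.actor gives us a way to
    // make the second statement of the transaction fail on demand.
    $pdo->exec('CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $pdo->exec("CREATE TABLE audit (id INTEGER PRIMARY KEY, news_id INTEGER NOT NULL,
                                    actor TEXT NOT NULL CHECK (actor <> ''))");
    return $pdo;
}

// Insert the news row and its audit row atomically: both land or neither does.
// Returns the new news id; rethrows after rollback so the caller decides what to
// tell the user (the exception message can contain SQL fragments, so log it, never echo it).
function createNews(PDO $pdo, string $title, string $actor): int
{
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare('INSERT INTO news (title) VALUES (:title)');
        $ins->execute([':title' => $title]);
        // execute() succeeding is not the same as a row landing; rowCount() is.
        if ($ins->rowCount() !== 1) {
            throw new RuntimeException('news insert affected ' . $ins->rowCount() . ' rows');
        }
        $newsId = (int) $pdo->lastInsertId();

        $aud = $pdo->prepare('INSERT INTO audit (news_id, actor) VALUES (:news_id, :actor)');
        $aud->execute([':news_id' => $newsId, ':actor' => $actor]);

        $pdo->commit();
        return $newsId;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Table names come from code, never from request data: placeholders bind values, not identifiers.
function countRows(PDO $pdo, string $table): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM $table")->fetchColumn();
}

$pdo = openDb();

// A hostile-looking title is just data to a bound parameter: stored verbatim, executed never.
$id = createNews($pdo, "Launch day'; DROP TABLE news; --", 'alice');
echo "saved news #$id\n";

// Second call: the news INSERT succeeds, the audit INSERT violates the CHECK, and the
// rollback removes the news row again, so the failed attempt leaves nothing behind.
try {
    createNews($pdo, 'Half-written item', '');
} catch (PDOException $e) {
    error_log($e->getMessage());
    echo "save failed, nothing was written\n";
}

printf("news rows: %d, audit rows: %d\n", countRows($pdo, 'news'), countRows($pdo, 'audit'));
$stored = $pdo->query('SELECT title FROM news')->fetchColumn();
echo "stored title: $stored\n";
```

Run it with `php example.php` (pdo_sqlite is bundled with most PHP builds). The pattern to keep is the shape of createNews(): begin, do every write through prepared statements, check the counts you care about, commit, and let any exception propagate after a rollback so the controller can log the detail and show the user a generic failure message.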